Monday 14 April 2014

Document fingerprinting with DLP in Exchange 2013 SP1

Exchange 2013 SP1 introduces many new features; one of them is document fingerprinting for Data Loss Prevention (DLP).

DLP is available to administrators through the Exchange Admin Center (EAC) or through a set of PowerShell cmdlets.

In the EAC, Data Loss Prevention sits under Compliance Management.

With Exchange 2013 SP1 the new document fingerprinting option is immediately visible to the administrator in the EAC.

So let's create a document fingerprint from a document template.

I have created a simple document template in Microsoft Word with a detailed page footer. With document fingerprinting we can upload this template into DLP, and any document a user sends that matches the heuristics of my template will trigger DLP into action.

Let's upload my document to DLP. I click on 'Manage document fingerprints'.

I select Add and give the new document fingerprint a name and description.

I select Add to upload my document template.

Once uploaded (note that I can upload multiple documents), click 'Save'.

So I now have a document fingerprint uploaded and can see it under 'Oliver Test'.

However, upon closing the window I am back at Data Loss Prevention, and no DLP policies are configured.

This is because we now have to create one that matches against the document fingerprint we have just created.

Click + to create a new DLP policy and select 'New custom DLP policy'.

Give the new custom policy a name, set it to enabled, and leave it for the time being as 'Test DLP policy without Policy Tips'.

Once saved, we need to open it.

We can now specify some rules. Select Rules in the left pane.

We'll add a new rule.

I will create a rule based on 'Notify sender when sensitive information is sent outside the organization'.

For this demo I am leaving the rule on its defaults and will drill into 'Select sensitive information types' as shown above.

From here I can add my document fingerprint template to the rule as a sensitive information type.

Once added, it is appended to the list of sensitive information types. Note that I could add more if I wished, which avoids the need to create additional DLP policies.

We must now define what the rule does.

I am choosing to create an incident report and send it to someone in my organisation,

and include certain message properties that I am interested in.
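The same configuration can be built from the Exchange Management Shell with the DLP cmdlets instead of clicking through the EAC. The following is an added example, not a script from the original post: the template path, the classification and policy names, and the incident-report recipient are placeholders I have chosen, and the Test-DataClassification check at the end is my addition for verifying the fingerprint before any real mail is sent.

```powershell
# Added example: PowerShell equivalent of the EAC walkthrough above, for the
# Exchange Management Shell on Exchange 2013 SP1. All names, paths and
# addresses below are assumptions to be replaced with your own.

# 1. Fingerprint the Word template. New-Fingerprint takes the raw file bytes.
$templatePath = 'C:\DLP\CorporateTemplate.docx'   # assumed path to the template
$fingerprint  = New-Fingerprint `
    -FileData ([System.IO.File]::ReadAllBytes($templatePath)) `
    -Description 'Corporate document template (detailed page footer)'

# 2. Wrap the fingerprint in a sensitive information type (data classification).
#    -Fingerprints is multi-valued, so several templates can share one
#    classification, matching the "upload multiple documents" note above.
New-DataClassification `
    -Name 'Oliver Test' `
    -Description 'Documents derived from the corporate template' `
    -Fingerprints $fingerprint

# 3. Create the custom DLP policy. -Mode Audit is the cmdlet equivalent of the
#    EAC choice "Test DLP policy without Policy Tips": rules fire and report,
#    but nothing is blocked and users see no policy tip. Use AuditAndNotify for
#    "with Policy Tips" and Enforce once the policy has been tuned.
New-DlpPolicy -Name 'Oliver Test DLP policy' -State Enabled -Mode Audit

# 4. Add the rule: a message leaving the organisation that carries content
#    matching the fingerprint notifies the sender and generates an incident
#    report, with the selected message properties and a copy of the original
#    mail, to a compliance mailbox (assumed address).
New-TransportRule `
    -Name 'Notify sender - corporate template sent externally' `
    -DlpPolicy 'Oliver Test DLP policy' `
    -MessageContainsDataClassifications @{ Name = 'Oliver Test' } `
    -SentToScope NotInOrganization `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport 'dlp-incidents@contoso.example' `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetection, DataClassifications, AttachOriginalMail

# 5. Verify what was created.
Get-DataClassification -Identity 'Oliver Test' | Format-List Name, Description, Fingerprints
Get-DlpPolicy -Identity 'Oliver Test DLP policy' | Format-List Name, State, Mode
Get-TransportRule -DlpPolicy 'Oliver Test DLP policy' |
    Format-List Name, State, MessageContainsDataClassifications, GenerateIncidentReport

# 6. Check a document against the classification without sending any mail.
#    A file built from the template should be reported as a match; an
#    unrelated file should not. (Assumed test file path.)
$candidate = [System.IO.File]::ReadAllBytes('C:\DLP\DraftContract.docx')
Test-DataClassification -FileData $candidate -ClassificationNames 'Oliver Test'
```

Keeping the policy in Audit mode while the fingerprint is tuned is the safe order: the incident reports show which messages would have been caught (and any false positives on documents that merely share boilerplate with the template) before the rule is switched to Enforce and starts affecting mail flow.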

So what happens if someone sends an email with a document that matches my template?

Once the email is sent, the person or group chosen in the rule is alerted immediately that someone has sent a document matching the fingerprint.

You can see that it includes the message properties I selected and also a copy of the email, which I specified in the custom DLP policy.

This is a fantastic feature in Exchange 2013 SP1: organisations can create DLP fingerprints for all of their corporate documents and then build DLP policy workflows around them so that those documents are controlled and managed in the enterprise with Exchange 2013 Data Loss Prevention.

DLP requires an Enterprise CAL, but weighed against the additional cost of third-party tools that achieve the same functionality, the CAL upsell and native support may well be the best option for organisations looking to implement this feature.

For more information on Data Loss Prevention document fingerprinting in Exchange Server 2013 SP1, please see the following articles:

For a comprehensive list of DLP PowerShell cmdlets see:

Take care,

Oliver Moazzezi - MVP Exchange Server
